Protecting the Personal Privacy of Azerbaijani Citizens

The Law on Personal Data of 11 May 2010 No 998-IIIQ is a data protection law that was passed in the country of Azerbaijan in 2010. As has been the case with many other comprehensive data privacy laws that have been passed in the last decade, the Law on Personal Data of 11 May 2010 No 998-IIIQ draws inspiration from the European Unions General Data Protection Regulation or GDPR. As such, the Law on Personal Data of 11 May 2010 No 998-IIIQ lays out the legal requirements for the collection and processing of personal data within the country of Azerbaijan, as well as the punishment that individuals and organizations stand to face should they violate the provisions established by the law.

How are data controllers and processors defined the Law on Personal Data of 11 May 2010 No 998-IIIQ?

The Law on Personal Data of 11 May 2010 No 998-IIIQ does not make use of the terms data controller or data processor. Alternatively, the terms owner of personal data and operator of personal data are used in a similar context as a data controller or data processor. To this point, the law defines an owner of personal data as “the state or local self-government authority, legal, or physical person that exercises the right to possess, use, or dispose of information systems or resources of personal data in accordance with the legislation.” Conversely, an operator of personal data is defined as “the owner of personal data, that collects, processes, and stores personal data, or the state or local self-government authority, legal, or physical person, whom these functions have been delegated to, to a certain extent and on certain conditions by the owner of personal data.”

What are the duties of data owners and operators under the Law on Personal Data of 11 May 2010 No 998-IIIQ?

Under the Law on Personal Data of 11 May 2010 No 998-IIIQ, owners and operators of personal data within Azerbaijan are required to fulfill the following duties when collecting or processing personal data:

• Ensuring the legality and security of personal data as it relates to collection and processing.
• Compensating material and moral damage to the data subject as determined by the court as a result of the collection and processing of personal data and inadequate protection of such data.
• Creating conditions for conducting intelligence and counter-intelligence, as well as investigation activities in accordance with the legislation of the Republic of Azerbaijan, addressing relevant organizational and technical issues, and observing the confidentiality of the methods used to conduct these activities, in case the data controller acts as the data processor.
• Providing data subjects with information detailing pertinent information concerning the collection and processing of their personal data, including but not limited to the purposes for the collection or processing of their personal data, as well as the level of security and protection that will be afforded to such data.
• Registering all information systems with the relevant state authority within Azerbaijan, where applicable.
• Notifying both data subjects and the relevant state authority in instances where a data breach occurs.

What are the rights of data subjects under the Law on Personal Data of 11 May 2010 No 998-IIIQ?

Under the Law on Personal Data of 11 May 2010 No 998-IIIQ, Azerbaijani citizens have the following rights as it pertains to the protection of their personal data:

• The right to be informed.
• The right to access.
• The right to rectification.
• The right erasure.
• The right to object or opt-out.
• The right not to be subject to automated decision-making.
• The right to “require the protection of their personal data collected and processed in the information system.”
• The right to file a complaint or appeal with the relevant court or executive authority.

In terms of sanctions and fines that can be imposed against owners and operators of personal data who violate the law, the Law on Personal Data of 11 May 2010 No 998-IIIQ is enforced through the Administrative Violations Code. As a result, data owners and operators who violate the rights of Azerbaijani citizens under the Law on Personal Data of 11 May 2010 No 998-IIIQ are subject to the following punishments:

• Administrative liability.
• Criminal liability.
• A monetary fine ranging from AZN 300 ($180) to AZN 500 ($293).
• A term of imprisonment of up to seven years.

Although the country of Azerbaijan has close relations with the European, they are not formal members and as such, do not fall under the jurisdiction of the General Data Protection Regulation. Subsequently, the Law on Personal Data of 11 May 2010 No 998-IIIQ ensures that Azerbaijani citizens are provided with a level of data protection that is comparable to the level of protection that is afforded to citizens who reside within member states of the EU. As such, Azerbaijani citizens can have the assurance that any personal data that is collected from them will be treated with the utmost confidentiality and protection.